Suspicious code in kdelibs-3.5.2

Christoph Bartoschek bartoschek at gmx.de
Wed Apr 5 15:26:00 BST 2006


Hi,

here is a list of suspicious lines of code in kdelibs-3.5.2 without khtml. I've
checked khtml separately.

------------------------------------------------------------------
Misc problems:
------------------------------------------------------------------
- libkscreensaver/kscreensaver.cpp:224

block is allocated with operator new[] and not deleted with "delete [] block"

- kdeui/kcolordialog.cpp:429
- kdeui/kcolordialog.cpp:533

The expression LeftButton is always true. I guess the correct line is:
if( !(e->state() & LeftButton)) return;

- kdecore/kwinmodule.cpp:227

Here I guess some braces are missing, maybe you meant:
!(possibleStrutWindows.findIndex( ev->xany.window ) != -1)
The current code cannot be false, because "!possibleStrutWindows.findIndex(
ev->xany.window )" is either true(1) or false(0) and cannot be -1.

- kimgio/tga.cpp:196

When the file is broken and size becomes 0 here, you get a lot of problems in
the following lines.

- kspell2/plugins/ispell/lookup.cpp:310

1 != 1 is always false

- kdeui/knuminput.cpp:653
  kdeui/knuminput.cpp:821 (similar)

Line 652 returns when referencePoint != 0. In line 653 there is a
division by 0.

- kdeui/kdockwidget.cpp:3111

The loop does not iterate. Breaks for the first obj.

- kdeui/kdialogbase.cpp:671

If style == ActionStyleMax, then you get accesses beyond array bounds in
lines 687, 700, 714. Change the second comparison to: 
style >= ActionStyleMAX

- kdeui/kcolordialog.cpp:294
- kdeui/kcolordialog.cpp:234 (similar with xSize)

If xSize becomes 1 or ySize becomes 1 here you have a division by 0 in
lines 308 and 320 

- kdefx/kpixmap.cpp:62

i+n easily reaches the array bound 16. For example if n == 15 and i ==
14, then bm[29][0] is accessed. This is way beyond the array bound.

- kdecore/svgicons/ksvgiconpainter.cpp:272
- kdecore/svgicons/ksvgiconpainter.cpp:928

The type of ArtVpath::code is ArtPathcode. This enum does not have the value
ART_END2. As far as I know the standard does not guarantee that ART_END2 can be
assigned to this variable.

- kdecore/kiconloader.cpp:1276

The condition is always true because QIconSet::Mode has only 3 values.

- kmdi/kmdichildarea.cpp:520

Maybe it should be asserted that maxWnds > 0. Otherwise numVisible could be 1
and this has the effect that numToHandle becomes <= 0 and that numToHandle-1
lies outside of the colstable bounds.

- kate/part/katedocument.cpp:4655
- kate/part/katedocument.cpp:4657 (similar)

The variable n is not initialized here. It is allocated in line 4595. Then in
line 4606 a long if else if chain begins, that can reach line 4655 without
changing n before.

- kate/part/katefont.cpp:63

A memory leak. wa is allocated in function createRow and not deleted here.

- kabc/vcard/Enum.cpp:229

If e >= EntityUnknown, then you access beyond the array bounds. The bounds are
from [0..30]. EntityUnknown has value 32.

- kio/kio/kservicetypefactory.cpp:283

I guess this error is fatal. Otherwise line 286 crashes.




------------------------------------
Problems involving the NULL pointer:
------------------------------------

- dcop/dcopserver.cpp:1481

If conn is NULL as indicated by line 1430, line 1481 crashes after the if
condition.


- kio/misc/kwalletd/kwalletd.cpp:430

Line 414 indicates that kpd can be NULL. When the while loop at line 420 is
entered line 424 crashes.

- kjs/regexp_object.cpp:244

If lastOvector is NULL as indicated by line 237, line 244 crashes.

- kmdi/kmditoolviewaccessor.cpp:235

If pTargetDock is NULL in line 231, then the if condition is true. When
additionally the condition in line 233 is true you have a crash in line 235.

- kdeui/kcmodule.cpp:82

If instance is NULL as indicated by line 78, then line 82 crashes.

- kdeui/kiconview.cpp:199

If previousItem is NULL as indicated by line 193, then line 199 crashes.

- kdeui/klistview.cpp:295

Line 279 indicates that pitem could be NULL. If this is true, then pi
becomes NULL in line 282 and line 295 crashes.

- kdeui/kurllabel.cpp:365

Line 354 indicates that e could be NULL. The dereference in line 365 and
the following lines lead to a crash.

- kstyles/keramik/keramik.cpp:488

Line 481 indicates that parent could be NULL. Line 488 crashes then.

- kstyles/plastik/plastik.cpp:3096

If the dynamic_cast in line 2991 fails, sw is NULL as indicated by line
2996. If control flow reaches line 3096, then it crashes.

- kstyles/highcolor/highcolor.cpp:428

The if condition at line 417 indicates that p could be NULL. Line 428
crashes in this case.

- kstyles/light/lightstyle-v3.cpp:453

Line 427 indicates that p could be NULL. If control reaches line 453 or
468 the program crashes.

- kstyles/light/lightstyle-v2.cpp:320

Line 295 indicates that p could be NULL. If control reaches line 320 or
338 the program crashes.

- kioslave/http/kcookiejar/kcookiejar.cpp:718

If this condition is true, then lastCookie stays 0. When additionally
the while loop at line 773 is entered there are a lot of NULL pointer
dereferences in the following code. For example lines 793,799,801, ...

- kio/kio/kdirwatch.cpp:1049
- kio/kio/kdirwatch.cpp:1020 (similar)

If instance == 0 and  newWatching > 0, line 1046 does not exit. Line 1049
crashes then.

- kio/kio/kdirwatch.cpp:1593

Line 1592 indicates that d can be NULL. Line 1593 crashes then.

- kresources/configpage.cpp:265

If the condition at line 260 becomes true, then line 265 crashes.

- kparts/plugin.cpp:97

The error handling in line 92 should prohibit the crash in line 97.

- kimgio/xcf.cpp:1562
- kimgio/xcf.cpp:1299 (similar)

If the switch statement in line 1507 chooses the default type (is the xcf data
format fixed forever?)  merge is a NULL function pointer.

- kdeprint/management/kxmlcommanddlg.cpp:620

If opt becomes NULL in line 573 and the switch in line 585 selects the default
case, then line 620 crashes.

- kjs/nodes.cpp:2878

If _catchs is NULL and _final == 0 line 2878 crashes.

- kjs/date_object.cpp:914

Line 909 indicates that dateString can be NULL here. Then line 914 crashes.

- kjs/internal.cpp:424

If func is NULL as indicated by line 386 and the type is FunctionCode, line 424
crashes. Maybe an assertion should be here.




-----------------------------------------------------------------
Lines where the operator precedence between & and == leads to an error.
There are some lines of code that look like this:
if (variable & 0xF != 0)  ...
The compiler reads:
if (variable & (0xF != 0))  ...
and not
if ((variable & 0xF) != 0)  ...
The result is that the compiler optimizes such code to:
if (variable & 1) ...
because (0xF != 0) is true and this is equivalent to 1
-----------------------------------------------------------------

- kdecore/kglobalaccel_x11.cpp:215
- kdecore/kextsock.cpp:1250 (The condition is always true)




-----------------------------------------------------------------
Cases from switch statements that fall through in some cases but 
do not have a fall through comment as in most such cases.
------------------------------------------------------------------

- kabc/vcard/Enum.cpp:346
- kmdi/kmdidockcontainer.cpp:299
- kstyles/kthemestyle/kthemestyle.cpp:845
- kstyles/plastik/plastik.cpp:1517
- kdeprint/management/kmwname.cpp:66
- kdeprint/kprintprocess.cpp:78
- kstyles/keramik/keramik.cpp:2312
- kstyles/keramik/keramik.cpp:2875
- kdeui/kstdaction.cpp:63
- kdeui/kseparator.cpp:60
- kdeui/kcompletionbox.cpp:173
- kdecore/klocale.cpp:1899
- kdecore/kglobalaccel_x11.cpp:246
- kabc/vcard/Enum.cpp:441
- kabc/addresslineedit.cpp:337
- kjs/dtoa.cpp:1655

-----------------------------------------------------------------
Lines where boolean expressions are used in non-boolean contexts:
-----------------------------------------------------------------

- kate/part/katebuffer.cpp:1213
- kate/part/katebuffer.cpp:1220
- kdecore/kxerrorhandler.cpp:108
- kdecore/kxerrorhandler.cpp:110
- dnssd/servicebrowser.cpp:208
- kio/kio/authinfo.cpp:142
- kio/kio/kdirlister.cpp:947
- kio/kio/kdirlister.cpp:1524
- kstyles/light/lightstyle-v3.cpp:955
- kstyles/light/lightstyle-v2.cpp:832
- kdeui/kconfigdialog.cpp:197
- kdeui/kconfigdialog.cpp:187
- kdeui/kconfigdialog.cpp:238
- kdeui/kconfigdialog.cpp:228
- kdeui/kkeydialog.cpp:905
- kdeui/kkeydialog.cpp:884
- kdeui/kkeydialog.cpp:768
- kdeui/kkeydialog.cpp:767
- kdeui/kwordwrap.cpp:66
- kdecore/kconfigdialogmanager.cpp:253
- kdecore/kconfigbackend.cpp:565
- kdecore/kconfig.cpp:225
- kdecore/kconfig.cpp:226
- kjs/dtoa.cpp:732
- kjs/grammar.cpp:2888
- kjs/grammar.cpp:2880
- kio/kfile/kpropertiesdialog.cpp:1564
- kio/kfile/kpropertiesdialog.cpp:1572
- kio/misc/kssld/kssld.cpp:740
- kio/misc/kssld/kssld.cpp:759
- kio/kio/slaveinterface.cpp:411
- kio/misc/kfile/fileprops.cpp:140
- kio/kio/kurifilter.cpp:259




More information about the kde-core-devel mailing list
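As an added example that is not part of the original message or of kdelibs, the following C++ shows three of the condition-writing mistakes the report describes, each beside its corrected form: the `&` / `!=` precedence slip (kglobalaccel_x11.cpp, kextsock.cpp), `!` applied to a `findIndex` result before the `!= -1` comparison (kwinmodule.cpp), and a `> MAX` bound check on an enum whose last member is used as an array size (kdialogbase.cpp). The `findIndex` helper and the `ActionStyle` enum are stand-ins invented for this example; they are not the Qt3 or kdelibs definitions.

```cpp
#include <array>
#include <cstdio>
#include <vector>

// Pattern 1: '&' binds weaker than '!=', so `flags & 0xF != 0` is parsed as
// `flags & (0xF != 0)`, i.e. `flags & 1`: only bit 0 is ever tested.
bool lowNibbleSetBuggy(unsigned flags) {
    return flags & 0xF != 0;        // gcc -Wparentheses warns here
}
bool lowNibbleSetFixed(unsigned flags) {
    return (flags & 0xF) != 0;
}

// Pattern 2: `!list.findIndex(w) != -1`. Hypothetical stand-in for a
// findIndex that returns the position, or -1 when the element is absent.
int findIndex(const std::vector<unsigned long>& list, unsigned long w) {
    for (std::size_t i = 0; i < list.size(); ++i)
        if (list[i] == w) return static_cast<int>(i);
    return -1;
}
// `!findIndex(...)` is 0 or 1 and never -1, so this is always true,
// even when w is present in the list.
bool notInListBuggy(const std::vector<unsigned long>& list, unsigned long w) {
    return !findIndex(list, w) != -1;  // clang -Wlogical-not-parentheses warns
}
// Negating the whole comparison gives the intended "not found" test.
bool notInListFixed(const std::vector<unsigned long>& list, unsigned long w) {
    return !(findIndex(list, w) != -1);
}

// Pattern 3: enum whose last member is the count of valid values.
// Hypothetical enum; the real kdialogbase enum may differ.
enum ActionStyle { ActionStyle0 = 0, ActionStyle1, ActionStyle2, ActionStyleMAX };
// `> MAX` lets style == ActionStyleMAX through, one past the table's end.
bool styleRejectedBuggy(int style) { return style < 0 || style > ActionStyleMAX; }
bool styleRejectedFixed(int style) { return style < 0 || style >= ActionStyleMAX; }

// Table sized by the count; uses the fixed guard, returns -1 when rejected.
int lookupStyle(int style) {
    static const std::array<int, ActionStyleMAX> table = {10, 20, 30};
    if (styleRejectedFixed(style)) return -1;
    return table[style];
}

int main() {
    std::vector<unsigned long> windows = {7, 42};
    std::printf("0x2: buggy=%d fixed=%d\n", lowNibbleSetBuggy(0x2), lowNibbleSetFixed(0x2));
    std::printf("42 absent? buggy=%d fixed=%d\n",
                notInListBuggy(windows, 42), notInListFixed(windows, 42));
    std::printf("MAX rejected? buggy=%d fixed=%d\n",
                styleRejectedBuggy(ActionStyleMAX), styleRejectedFixed(ActionStyleMAX));
    return 0;
}
```

Both buggy forms are exactly what the compiler's own warnings catch (gcc's `-Wparentheses`, on with `-Wall`, and clang's `-Wlogical-not-parentheses`), so building a tree with warnings enabled is the cheap first pass before running a static analyzer over it.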